Although this works with any provider that exposes an OpenID API, this document focuses on Google.
To set up this authentication we first need to install the OpenID module for Apache…
apt-get install libapache2-mod-auth-openidc
Once installed, we have to enable it…
a2enmod auth_openidc
And restart Apache…
/etc/init.d/apache2 restart
Now we have to configure each domain or subdomain so that Apache knows how to connect to Google. This could be done directly in the Apache file /var/www/vhosts/system/DOMINI.TLD/conf/httpd.conf, but in this example we use a server managed with Plesk, where those changes would be lost whenever the domain is reconfigured, so it is better to do it through the Plesk panel: Domains > DOMINI.TLD > Apache & nginx Settings > Additional directives for HTTPS…
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID XXXXXXXXXXXXXX.apps.googleusercontent.com
OIDCClientSecret XXXXXXXXXXXXXX
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
# https://gluu.org/docs/ce/integration/sswebapps/openidc-rp/ says: don't set this to a path used by your server. The apache-filter uses the redirect_uri to process the response from the OpenID Provider
OIDCRedirectURI https://DOMINI.TLD/protegitambOpenID/callBack/
OIDCCryptoPassphrase XXXXXX
OIDCScope "openid email profile"
OIDCSessionInactivityTimeout 86400
OIDCSessionMaxDuration 0
OIDCClientID and OIDCClientSecret must be taken from Google: https://console.developers.google.com/ > Google APIs > Credentials > OAuth 2.0 client IDs
OIDCRedirectURI is a URL used for the exchange between Apache and Google, and it must exist, therefore…
OIDCCryptoPassphrase is a passphrase we choose ourselves, used to encrypt the communication between the server and Google.
OIDCSessionInactivityTimeout is the maximum idle time before the session is closed. The default is 5 minutes (300 seconds); in this case we want 24 hours (3600 x 24 = 86400), which is the maximum allowed.
OIDCSessionMaxDuration is the maximum time a session may last; the default is 8 hours (28800 seconds). Leaving it at 0 lets the provider's token (Google, in this case) define it.
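As an added check (Python, not part of the original post), this script parses a block of Additional directives in the same format as above and flags the slips that are easy to make: an OIDCSessionInactivityTimeout outside the allowed range (the constructed sample carries one zero too many), a placeholder passphrase, a redirect URI that is not an HTTPS URL under the domain, or a scope without openid. The 24-hour maximum is the one stated in the text; the 10-second minimum is assumed from the module's documentation.

```python
import secrets

# OIDCSessionInactivityTimeout range: 24 h max as the text states; 10 s min is assumed from the module docs.
INACTIVITY_MIN, INACTIVITY_MAX = 10, 86400

# Constructed sample resembling the Plesk "Additional directives" block, with a
# mistyped timeout (one zero too many) and the placeholder passphrase left in.
SAMPLE_DIRECTIVES = """
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID XXXXXXXXXXXXXX.apps.googleusercontent.com
OIDCClientSecret XXXXXXXXXXXXXX
# comment lines are ignored by the parser
OIDCRedirectURI https://DOMINI.TLD/protegitambOpenID/callBack/
OIDCCryptoPassphrase XXXXXX
OIDCScope "openid email profile"
OIDCSessionInactivityTimeout 864000
OIDCSessionMaxDuration 0
"""

def parse_directives(text):
    """Turn 'Directive value' lines into a dict; blank and '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            conf[name] = value.strip().strip('"')
    return conf

def lint_oidc(conf, domain):
    """Return the problems found in a mod_auth_openidc directive set for `domain`."""
    problems = []
    timeout = int(conf.get("OIDCSessionInactivityTimeout", 300))  # module default: 300 s
    if not INACTIVITY_MIN <= timeout <= INACTIVITY_MAX:
        problems.append(f"OIDCSessionInactivityTimeout {timeout} is outside {INACTIVITY_MIN}..{INACTIVITY_MAX}")
    if not conf.get("OIDCRedirectURI", "").startswith(f"https://{domain}/"):
        problems.append("OIDCRedirectURI must be an HTTPS URL under the protected domain")
    if not conf.get("OIDCClientID", "").endswith(".apps.googleusercontent.com"):
        problems.append("OIDCClientID does not look like a Google OAuth 2.0 client ID")
    if len(conf.get("OIDCCryptoPassphrase", "")) < 16:
        problems.append("OIDCCryptoPassphrase is a placeholder or too short; use new_passphrase()")
    if "openid" not in conf.get("OIDCScope", "").split():
        problems.append("OIDCScope must contain 'openid' for an OpenID Connect login")
    return problems

def new_passphrase():
    """Random value for OIDCCryptoPassphrase (32 random bytes, URL-safe base64)."""
    return secrets.token_urlsafe(32)
```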
mkdir /var/www/vhosts/DOMINI.TLD/httpdocs/protegitambOpenID/ && mkdir /var/www/vhosts/DOMINI.TLD/httpdocs/protegitambOpenID/callBack/
Other options we have discarded…
## OIDCProviderBackChannelLogoutSupported On
## OIDCSessionType server-cache[:persistent]|client-cookie[:persistent]
# OIDCDefaultLoggedOutURL https://DOMINI.TLD/protegitambOpenID/index.php
# OIDCDefaultURL https://DOMINI.TLD/protegitambOpenID/index.php
# OIDCProviderEndSessionEndpoint https://www.google.com/accounts/Logout
Back in Google, we have to define the URLs we want to allow (https://console.developers.google.com/ > Google APIs > Credentials > OAuth 2.0 client IDs)…
Authorised JavaScript origins…
https://DOMINI.TLD
Authorised redirect URIs…
https://DOMINI.TLD/protegitambOpenID/callBack/
We are almost done; all that remains is to define from which directory onward this authentication is required and which users are allowed. In this example, only users of DOMINI.TLD…
touch /var/www/vhosts/DOMINI.TLD/httpdocs/protegitambOpenID/.htaccess
echo "AuthType openid-connect" > /var/www/vhosts/DOMINI.TLD/httpdocs/protegitambOpenID/.htaccess
echo "Require claim hd:DOMINI.TLD" >> /var/www/vhosts/DOMINI.TLD/httpdocs/protegitambOpenID/.htaccess
Other options for the .htaccess file…
AuthType openid-connect
Require claim hd:DOMINI.TLD
# Require claim email~^[a-zA-Z0-9_.+-]+@(?:(?:[a-zA-Z0-9-]+\.)?[a-zA-Z]+\.)?(DOMINI)\.TLD$
# Require valid-user
# Require claim email:XXXXXXXXXX@gmail.com
# Require user XXXXXXXXXXX@accounts.google.com
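To see which accounts each of these Require lines actually admits, here is an added Python model (not the module's code) of mod_auth_openidc's claim matching, run against constructed ID-token claims: a Workspace user of DOMINI.TLD, a user of a subdomain, a consumer Gmail account (which carries no hd claim) and a look-alike domain. The REMOTE_USER form sub@accounts.google.com is assumed from the commented Require user line above; the hd and email regex rules are the page's own.

```python
import re

# Constructed ID-token claims for the account types a Google login can produce
# (sample data, not real accounts). Consumer Gmail accounts carry no "hd" claim.
WORKSPACE_USER = {"sub": "10001", "email": "anna@DOMINI.TLD", "hd": "DOMINI.TLD"}
SUBDOMAIN_USER = {"sub": "10002", "email": "joan@mail.DOMINI.TLD", "hd": "mail.DOMINI.TLD"}
GMAIL_USER = {"sub": "10003", "email": "someone@gmail.com"}
LOOKALIKE_USER = {"sub": "10004", "email": "x@DOMINI.TLD.example.net", "hd": "DOMINI.TLD.example.net"}

# The .htaccess rules from the text: the active one and the commented regex alternative.
HD_RULE = "Require claim hd:DOMINI.TLD"
EMAIL_REGEX_RULE = (r"Require claim email~^[a-zA-Z0-9_.+-]+@"
                    r"(?:(?:[a-zA-Z0-9-]+\.)?[a-zA-Z]+\.)?(DOMINI)\.TLD$")

def require_claim(spec, claims):
    """'name:value' is an exact match, 'name~regex' a regex match on the claim value."""
    m = re.match(r"([^:~]+)([:~])(.*)$", spec, re.S)
    if not m:
        raise ValueError(f"bad claim spec: {spec!r}")
    name, op, arg = m.groups()
    value = claims.get(name)
    if value is None:            # a missing claim never satisfies the rule
        return False
    if op == ":":
        return str(value) == arg
    return re.search(arg, str(value)) is not None

def remote_user(claims):
    """Assumed REMOTE_USER form, matching the page's 'Require user ...@accounts.google.com'."""
    return f"{claims['sub']}@accounts.google.com"

def is_authorized(require_lines, claims):
    """Apache's default is RequireAny: the first satisfied Require line grants access."""
    for line in require_lines:
        kind, _, arg = line.removeprefix("Require ").partition(" ")
        if kind == "valid-user" and "sub" in claims:   # any authenticated Google account
            return True
        if kind == "user" and remote_user(claims) == arg:
            return True
        if kind == "claim" and require_claim(arg, claims):
            return True
    return False
```

Note that Require valid-user admits every Google account that completes the login, so the hd or email rule is what actually restricts access to the organisation.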
Some resources used…
https://stackoverflow.com/questions/24675976/how-to-authenticate-domains-on-apache-with-google-apps
http://findingscience.com/mod_auth_openid/
https://stackoverflow.com/questions/37557703/user-list-for-mod-auth-openidc
https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf
https://github.com/zmartzone/mod_auth_openidc/wiki
https://openid.net/specs/openid-connect-frontchannel-1_0.html
https://openid.net/specs/openid-connect-backchannel-1_0.html
https://stackoverflow.com/questions/1385082/openid-how-do-you-logout
https://stackoverflow.com/questions/1968814/how-to-add-logout-feature-to-an-openid-enabled-site
https://stackoverflow.com/questions/4202161/google-account-logout-and-redirect
https://stackoverflow.com/questions/38835222/google-api-oauth-2-0-titanium-required-parameter-is-missing-response-type
https://stackoverflow.com/questions/47235093/how-to-redirect-to-last-link-after-login-from-google-in-php
Test URLs for the callback that we no longer use (kept so they are not lost for good)…